Server Room

Brute Force Attacks

Brian Miller
3 min read · Jan 25, 2019


Time Complexity is Your Friend!!!

Most of us have heard of brute force attacks before, but in case you aren’t 100% certain what they are and what they do, let’s start with a quick primer on how they function and the relative time complexity involved.

  • A brute force attack is, at its core, the cyber equivalent of trying every single key on a key ring in a door until one works.
  • In 2017 five percent of confirmed data breaches were the result of brute force style attacks.
  • Computers manufactured in recent years are capable of brute forcing an 8 character alphanumeric password (upper and lowercase letters, numbers, and special characters) in roughly two hours.
  • Computers are fast enough to crack a weakly hashed password in a couple of months.

Brute force attacks can also be an extremely useful way for IT professionals to test the security of their networks. Indeed, one of the measures of a system’s encryption strength is how long it would take an attacker to succeed with a brute force attempt. Although often used by criminals for illegal purposes, brute force can also offer a backup option for password recovery once other methods have been exhausted.

Now that we know what a brute force attack is, what is our best defense? Increasing the time complexity through password length. Below we can examine the computational complexity of a few different password lengths.

  • As mentioned above, 8 characters just isn’t enough anymore. To quote someone around here, “If you’re using 8 characters, you’re doing it WRONG!!!”
    • The time complexity calculation for 8 characters with NO special restrictions is O(96⁸), which results in 6,634,204,312,890,625 possibilities.
  • Being mindful that 8 characters can be cracked in two hours with no hash and in mere months against a weak hash, what happens if we increase the length by just two more characters?
    • At 10 characters the time complexity increases to O(96¹⁰), which results in 66,483,263,599,150,104,576 possibilities. That requires roughly 10,000 times more attempts. The 2 hours just became 2.28 years.
  • Just over 2 years sounds like a safe place to be, but you and I both know computers are becoming faster each and every day. For that reason I strongly suggest passphrases of at least fourteen characters. I wonder what those extra 4 characters will do to the time complexity?
    • Admittedly, the math is starting to hurt my brain a bit, but we can talk more about that later. At 14 characters the time complexity increases to O(96¹⁴), which results in 5,646,733,123,551,136,024,526,585,856 possibilities. That requires 8,493,465.5 times more attempts than ten characters. Now we have gone not from 2 hours to 2.28 years but all the way to 19.365 MILLION YEARS!!!
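As an added example that is not part of the original post, here is the arithmetic behind these bullets in Python: the keyspace as alphabet_size ** length, an attacker guess rate backed out of the post’s “eight 96-symbol characters in two hours” claim, and the smallest length that holds out for a chosen number of years. Both the 96-symbol alphabet and that calibration point are assumptions taken from the post; the output will not match the post’s figures exactly, since the post’s 8-character count, 6,634,204,312,890,625, is 95⁸ rather than 96⁸.

```python
"""Brute-force keyspace arithmetic for fixed-length passwords.

Constructed example: the 96-symbol alphabet and the "8 characters in 2 hours"
calibration point are assumptions lifted from the post, not measured rates.
"""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols: the O(alphabet_size ** length) term."""
    return alphabet_size ** length


def guesses_per_second(alphabet_size: int, length: int, hours_to_exhaust: float) -> float:
    """Back out an attacker's guess rate from a claim such as 'a 96-symbol, 8-character
    password is exhausted in 2 hours'. Every later estimate reuses this rate."""
    return keyspace(alphabet_size, length) / (hours_to_exhaust * SECONDS_PER_HOUR)


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case for the attacker: every password of this length tried once."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def min_length_for_years(alphabet_size: int, rate: float, target_years: float,
                         max_length: int = 128) -> int:
    """Smallest length whose full keyspace takes at least `target_years` at `rate`.
    The keyspace grows geometrically, so this terminates quickly; max_length is a guard."""
    for length in range(1, max_length + 1):
        if years_to_exhaust(alphabet_size, length, rate) >= target_years:
            return length
    raise ValueError("no length up to max_length meets the target")


if __name__ == "__main__":
    alphabet = 96                                # assumption: the post's O(96^n)
    rate = guesses_per_second(alphabet, 8, 2.0)  # assumption: 8 chars fall in 2 hours
    print(f"assumed rate: {rate:,.0f} guesses/s")
    for n in (8, 10, 12, 14):
        print(f"{n:2d} chars: {keyspace(alphabet, n):>40,d} possibilities, "
              f"{years_to_exhaust(alphabet, n, rate):>18,.2f} years")
    for horizon in (1, 1_000, 1_000_000):
        need = min_length_for_years(alphabet, rate, horizon)
        print(f"to hold out {horizon:>9,d} years you need {need} chars")
```

Note that these are exhaustive-search times; on average an attacker who eventually succeeds finds the password after half the keyspace, and a leaked hash, a wordlist, or a reused passphrase shortcuts the math entirely.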

What does this mean for you and me? I don’t know about you personally, but I will never use a passphrase of less than 14 characters unless the system doesn’t allow the length. I might not have millions of dollars lying around just yet, but the information I do have is priceless to me. A good passphrase needs to be both memorable and random. Your favorite music lyrics turned into letters might not cut it. There’s a helpful short video from Khan Academy’s free online cryptography class to help illustrate the point.

For the free online calculators I used for the math, visit Omni Calculators.
